Enabling DHCP Snooping (non-ELS)
DHCP snooping enables the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. The switch builds and maintains a database of valid bindings between IP address and MAC addresses (IP-MAC bindings) called the DHCP snooping database.
If you configure DHCP snooping for all VLANs and you enable a different port security feature on a specific VLAN, you must also explicitly enable DHCP snooping on that VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.
Enabling DHCP Snooping
You configure DHCP snooping per VLAN, not per interface (port). By default, DHCP snooping is disabled for all VLANs. You can enable DHCP snooping on all VLANs or on specific VLANs.
To enable DHCP snooping:
On a specific VLAN:
[edit ethernet-switching-options secure-access port] user@switch# set vlan vlan-name examine-dhcp
On all VLANs:
[edit ethernet-switching-options secure-access port] user@switch# set vlan all examine-dhcp
To enable DHCPv6 snooping:
On a specific VLAN:
[edit ethernet-switching-options secure-access port] user@switch# set vlan vlan-name examine-dhcpv6
On all VLANs:
[edit ethernet-switching-options secure-access port] user@switch# set vlan all examine-dhcpv6
By default, the IP-MAC bindings are lost when the switch is rebooted and DHCP clients (the network devices, or hosts) must reacquire bindings. However, you can configure the bindings to persist by setting the switch to store the database file either locally or remotely. See Configuring Persistent Bindings in the DHCP or DHCPv6 (non-ELS).
For private VLANs (PVLANs), enable DHCP snooping on the primary VLAN. If you enable DHCP snooping only on a community VLAN, DHCP messages coming from PVLAN trunk ports are not snooped.
Applying CoS Forwarding Classes to Prioritize Snooped Packets
On EX Series switches you might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay, and might also need to configure the port security features of DHCP snooping on the ports through which those packets enter or leave.
Prioritizing snooped packets by using CoS forwarding classes is not supported on the QFX Series switch.
To apply CoS forwarding classes and queues to snooped packets:
Verifying That DHCP Snooping Is Working Correctly
Purpose
Verify that DHCP snooping is working on the switch and that the DHCP snooping database is correctly populated with both dynamic and static bindings.
Action
Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC address IP address Lease (seconds) Type VLAN Interface 00:05:85:3A:82:77 192.0.2.17 600 dynamic employee ge-0/0/1.0 00:05:85:3A:82:79 192.0.2.18 653 dynamic employee ge-0/0/1.0 00:05:85:3A:82:80 192.0.2.19 720 dynamic employee ge-0/0/2.0 00:05:85:3A:82:81 192.0.2.20 932 dynamic employee ge-0/0/2.0 00:05:85:3A:82:83 192.0.2.21 1230 dynamic employee ge-0/0/2.0 00:05:85:27:32:88 192.0.2.22 — static data ge-0/0/4.0
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. The statically configured entry never expires.
If the DHCP server had been configured as untrusted, no entries would be added to the
DHCP snooping database and nothing would be shown in the output of the show dhcp snooping
binding command.